Get Windows Data into Splunk Cloud

Before you begin

Before you begin, you need a high-level understanding of the following concepts:

• Deployment server. A deployment server is a Splunk Enterprise instance that acts as a centralized configuration manager for any number of forwarders, called "deployment clients". The deployment server is hosted on your premises or your Cloud environment (such as AWS or Azure). For a more detailed description of the components of a deployment server, see Deployment Server Architecture.

• Indexes. The index is the repository for your data. When the Splunk platform indexes raw data, it transforms the data into searchable events. For more information about indexes, see Manage Indexes.

• Source types. A source type is one of the critical default fields that Splunk software assigns to all incoming data. It tells Splunk software what kind of data you have, so that it can format the data intelligently during indexing. For more information, see Why Source Types Matter.

• Splunk Applications and Add-ons. In this configuration, you use the Universal Forwarder app to get data in, and the Splunk Add-on for Windows to simplify the process of getting data in. A Splunk app is an application that runs on the Splunk platform and typically addresses several use cases. Add-ons support and extend the functionality of the Splunk platform and the apps that run on it, usually by providing inputs for a specific technology or vendor. The Splunk Add-on for Windows allows a Splunk software administrator to collect:
  • CPU, disk, I/O, memory, log, configuration, and user data with data inputs.
  • Active Directory and Domain Name Server debug logs from Windows hosts that act as domain controllers for a supported version of a Windows Server. In some cases, you may need to configure Active Directory audit policy since Active Directory does not log certain events by default.
  • Domain Name Server debug logs from Windows hosts that run a Windows DNS Server. Windows DNS Server does not log certain events by default, and you must enable debug logging. Generally, you need to install the app on your Splunk Cloud instance, and the add-on on your forwarder and Splunk Cloud instance.
  • For more information about add-ons, see About Splunk add-ons.
    • For more information about the Splunk Add-on for Windows, see About the Splunk Add-on for Windows.
    • For more information about best practices in Windows logging see Malware Archeology's cheat sheet: http://www.malwarearchaeology.com/cheat-sheets/ .

• Universal Forwarder. The universal forwarder is a dedicated, streamlined version of Splunk Enterprise that contains only the essential components needed to forward data. The universal forwarder does not support python and does not expose a UI. In most situations, the universal forwarder is the best way to forward data to indexers. Its main limitation is that it forwards unparsed data, except in certain cases, such as structured data.

Prerequisites in your Splunk Cloud environment

You must meet the following prerequisites before you can get Windows data into Splunk Cloud:

• You must have the sc_admin role on your Splunk Cloud instance.
• Request Splunk Support to install the Splunk Add-on for Microsoft Windows on your Splunk Cloud instance. Ensure you allow adequate time to complete this task before you attempt to get data in.
• Request a 0 MB deployment server license from Splunk Support. Ensure you allow adequate time to complete this task.

Prerequisites in your Windows environment

You must meet the following prerequisites before you can get Windows data into Splunk Cloud:

• You need local Admin access on your Windows machines to install the Splunk Universal Forwarder.
• Open port tcp/9997 outbound on your network firewall to allow communication with the Splunk Cloud indexers.

  If you have security concerns that prevent you from opening multiple ports on your firewall, you may want to create an intermediate forwarding tier to limit the number of open ports. For more information about this topic, see https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf.

• On the server that will host your deployment server, open tcp/8089 inbound to allow communication with the deployment server from deployment clients. This can be a Linux or a Windows server.

Overview

This document walks you through the steps to get your applications, security and system data into your Splunk Cloud instance. There are many other types of Windows data you may want to include in your production environment, but you will likely want these logs at a minimum, and you can add other types of logs, later.

To get Windows data into Splunk Cloud, complete the following high-level steps:

1. Configure indexes on your Splunk Cloud instance. You create an index for each of the types of data you want to bring into you Splunk Cloud deployment.
2. Configure your deployment server. The deployment server allows you to centrally manage the Splunk Forwarders in your environment. Using the deployment server you can configure what data gets collected and where to send it. In this case, you use the deployment server to send data to your Splunk Cloud instance.
3. Configure apps and add-ons on your deployment server. You configure the Splunk Universal Forwarder app on the deployment server, and you configure the Splunk Add-on for Windows on your deployment server. Then you set up server classes so that you can push the configurations to the forwarders on your Windows machines.
4. Configure Universal Forwarders on your Windows Machines. Forwarders are used to collect data and forwarder data to your Splunk Cloud instance.
5. Verify that data is flowing to your Splunk Cloud instance. After configuring the deployment server, add-on and forwarders, check to see if data is flowing to your Splunk Cloud instance.

The following graphic shows how add-on settings and forwarder settings are configured on the deployment server and pushed to groups of forwarders on the customer site. When you have configured all your settings, you can push updates to all your forwarders from the deployment server:

Step 1: Configure indexes on your Splunk Cloud instance

First, you need to create indexes to store the events you send from your Windows machines. It's a best practice to create separate indexes for different types of data. This can be useful if you want different storage settings for different types of data. For example, you may need to store wineventlogs for a specified time period for compliance purposes. In this step, you create the following indexes:

• wineventlog - store windows event logs
• perfmon- store windows performance data
• msad - store Microsoft Active Directory data
• dns - if collecting, store dns data
• dhcp - if collecting, store dhcp data

To create these indexes, complete the following steps:

1. From your Splunk Cloud instance, go to Settings > Indexes.
2. Click New Index.
3. For the index name, enter wineventlog.
4. For index data type, select Events.
5. For searchable time (days), enter 90.
   • Optionally, you can extend your storage for longer if you have different requirements. By default Splunk Cloud provides 90 days of searchable storage.
6. Click No Additional Storage, and click Save:

   You can also set up different types of storage for expired Splunk Cloud data (such as self-storage or archiving).

   

7. Repeat these steps for each of the following indexes:
   • perfmon
   • msad
   • dns
   • dhcp.

Step 2: Configure your Splunk Deployment Server

The deployment server is an instance of Splunk Enterprise that you install on a Windows or Linux machine and configure as a deployment server. In this step, you configure the deployment server (Windows OS) with the deployment server license and the Universal Forwarder App.
Follow the steps below to configure the Splunk deployment server:

1. Download Splunk Enterprise.
   From Splunk.com download an instance of Splunk Enterprise and install it on its own Windows machine (do not install on the same machine as a Universal Forwarder). You use this Splunk Enterprise instance as your deployment server. Download the link here.
2. Configure HTTPS for Splunk Web.
   1. From the Splunk Enterprise instance you installed, go to Settings > Server settings > General Settings
   2. In the field, Enable SSL (HTTPS) in Splunk Web, click Yes, and click Save:

      This is a best practice for security. For additional security you can add your own certificate instead of using the default certificates.

      
   
   
3. Install the Universal Forwarder App.
   1. Log into your Splunk Cloud instance. Under Apps, click Universal Forwarder, then click Download Universal Forwarder Credentials:
   
   
   2. On your deployment server (the Splunk Enterprise instance you will use as a deployment server) go to Apps > Manage Apps > Install Apps from file, and click Upload to upload the Universal Forwarder app:
   
   
4. Configure the licensing for the deployment server.
   1. From Settings > Licensing use the license to configure the Splunk instance as a deployment server.

      This is the license you requested from Splunk Support in your prerequisites.

   2. Click Restart later.

Step 3: Configure Apps and Add-Ons on your Deployment Server

Now, you add the Universal Forwarder app and the Splunk Add-on for Windows to your deployment server so that it can push forwarder and add-on configurations to all of the forwarders you install:
Follow the steps below to configure apps and add-ons on your deployment server:

1. Go to Splunkbase and download the Splunk Add-on for Microsoft Windows.
   As a best practice, verify that the add-on is valid for Splunk Cloud and the version you have installed:
   
   
   
   
2. On your deployment server, click Apps > Manage Apps > Install Apps from file, and click Upload to upload the Splunk Add-on for Microsoft Windows you downloaded from splunkbase.
3. Verify these folders are in the right directory by going to Windows > Program Files > Splunk > etc > apps and checking for the following folders:
   • 100_<splunk cloud stack name>_splunkcloud
   • Splunk_TA_windows
4. Copy these folders to the following directory: Windows > Program Files > Splunk > etc > deployment-apps
   After copying the folders, make sure that no local folder exists under the Splunk Forwarder app Windows > Program Files > Splunk > etc > deployment-apps > 100_<splunk cloud stack name>_splunkcloud. If a local folder exists, delete it. This folder gets created when the app is installed but you need a unique outputs.conf for each forwarder. This gets recreated when the Universal Forwarder restarts.
5. Verification step: return to the Forwarder Management console by going to Settings > Forwarder management. The Universal Forwarder app and the Splunk Add-On for Microsoft Windows should be listed under the Apps tab.
6. Configure and customize the Windows data collection add-ons.
   1. Return to Windows > Program Files > Splunk > etc > deployment-apps.
   2. Make copies of the Splunk_TA_windows folder for each of the types of Windows instances that you want to get data from.
   3. Rename each of the folders so that they represent your different Windows servers. For this example, create the following folders:
      • Splunk_TA_windows_DomainController
      • Splunk_TA_windows_server
      • Splunk_TA_windows_client
      • Splunk_TA_windows_GlobalCatalogServer
   4. Navigate to Windows > Program Files > Splunk > etc > deployment-apps > Splunk_TA_windows_server.
   5. In the folder, create a new folder called local This is a Splunk best practice and ensures that your configuration changes are saved during an upgrade. Also, this provides a way to revert back to the original configurations if some settings are misconfigured.
   6. From Windows > Program Files > Splunk > etc > deployment -apps > Splunk_TA_windows_server > default Copy the file, inputs.conf into your local folder.
   7. Using a file editor, open the inputs.conf file for editing. As a best practice, use Wordpad or Notepad ++ rather than Notepad, which does not handle word wrapping correctly by default.
   8. You can go to the documentation and look in the Source Types for Windows Add-Ons to ensure that your sources are represented by this add-on. In this instance, you configure the add-on to get data in for the following Windows Event Logs:
      • Application
      • Security
      • System
   9. To get the Application log data in, modify the inputs.conf file in the following way:
      1. For WinEventLog://Application set disabled=0. This enables the input.
      2. Add an entry for the location of the index by adding the following line to the stanza: index=wineventlog (this is the index you configured previously).
      3. Your stanza should now look like this (the bold font shows which lines are changed or added):
         [WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index=wineventlog

   10. To get the Security Log data in, you modify the inputs.conf file in the following way:
       1. For WinEventLog://Security, set disabled =0.
       2. Add an entry for the location of the Security log files by adding the following stanza: index=wineventlog .
       3. Your stanza should now look like this (the bold font shows which lines are changed or added):
          [WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=true
index=wineventlog

7. Save the file.
8. Verification step: return to the Forwarder Management console by going to Settings > Forwarder management. The Universal Forwarder app and the Splunk Add-On for Microsoft Windows and the modified ones you created should be listed under the Apps tab.
9. Create and configure a server class inside the Forwarder Management Console.
   1. Under the Server Classes tab click New Server Class.
   2. Enter outputs as the server class name and click Save. In this case, name the server class outputs because it sets the outputs.conf file for the forwarders.
   3. When you save these changes, you are taken to a screen to add apps or a client. Click Add Apps. Now, select the Universal Forwarder app. The name of the Universal Forwarder app are unique to your Splunk Cloud instance (ex. 100_<stack_name>_splunkcloud). Clicking on the name adds it to the right hand side. Now click Save.
   4. Under Actions for the Universal Forwarder' app, click Edit.
   5. Select theEnable App and Restart Splunkd the checkbox. Setting restart Splunkd allows you to restart the forwarder after you push changes to the apps via the deployment server. Now click Save.
   1. Navigate back to the Server Classes tab
   2. For the outputs server class, Click Edit > Edit Clients.
   3. In the Include (whitelist) box, enter a wildcard (*) so that the Universal Forwarder app is deployed to all of your Universal Forwarders as they get installed and phone home to the deployment server.
   6. Repeat steps a-f for another server class called Windows servers.
      • For step b customize for Windows servers.
      • For step c customize to the Splunk_TA_windows_Server app.
10. Verification step: when you view the apps from the deployment server, you should see that the app is enabled and restart splunkd is also enabled.

Step 4: Install the Splunk Universal Forwarder on your Windows Servers

Now you need to install a Universal Forwarder on each of the Windows servers from which you want data. The easiest way to do this is to run the installer on your server:

1. From splunk.com, download the Universal Forwarder to your Windows server.
2. Once the download is complete, click on the file to start the install.
3. Clear the checkbox Uncheck if you want to use Splunk Cloud.
4. Set a username and password.
5. In the Deployment Server field, enter the name of the deployment server. For example, win2016-splk-ds. As a best practice, include the full DNS name. For the port, enter port 8089 to allow the Universal Forwarder to communicate with the deployment server.
6. Click Next, and click Install. The forwarder is installed on your server, and you have instructed it to check the deployment server for configuration settings. Once the forwarder is running, it checks with the deployment server and downloads any apps you have configured. In this case, it downloads the Universal Forwarder app and the Splunk Add-on for Windows.
7. Repeat these steps for each of the Windows machines where you want to send data to Splunk Cloud.
8. Verification step: to verify that your forwarders are configured correctly, you can return to your deployment server, and from the Forwarder Management page, check to see if your clients have checked in. If the clients (forwarders) have checked in, you can see them listed in the Clients tab on the Forwarder Management page.

Step 5: Verify that Data is Flowing to Splunk Cloud

After you have configured the deployment server and universal forwarders, return to the Splunk Cloud instance to see if data is flowing to Splunk Cloud:

1. From your Splunk Cloud instance, go to Apps > Search and Reporting.
2. In the search field, enter index=_internal host!= "*.splunkcloud.com" .
   This search allows you view events from any host that is not a splunkcloud.com instance. So, you should be able to see any other hosts that are sending data to your Splunk Cloud instance.
3. For the time range, select presets > last 30 days. This allows you to start seeing data more quickly because the oldest events populate first.
4. Click the search icon.
5. Events from your Windows machines should display. In the left pane, a list of fields displays. Under the Host field you can see which forwarders are sending data to Splunk Cloud.